I am using a template "WCF Data Services with KendoUI" from the Starter Kit for my project and I am somewhat a newbie.
I have been searching for a good example of how to do proper odata authentication and data validation.
I have seen multiple approaches including
"OnStartProcessingRequest", "QueryInterceptor" and more...
I have requirements.
--Not all request endpoint require authentication (from trusted domain)
--Some READ requests require authentication, some don't
--want to incorporate openauthen
--allow .net membership also
I just wanted to hear if the experts here think would be the best practices for this.
Any applicable examples would be deeply appreciated.
Many thanks.1 Answer, 1 is accepted
Before starting to implement your security you should consider how you services will be used (internet/intranet), how user's identity will be verified (username + password or using domain accounts) and against which trusted sources (local application specific lookup tables or Active Directory), do you need any transport security and so on. Without having clear vision what should be the security set up for you applications and environment there is no way to set for a single mechanism and implementation.
When looking how to secure your Data Services you should now that services generated by OpenAccess work the same way as the Microsoft ones so any experience or knowledge that you have can be safely transferred to OpenAccess ones.
When you are hosting Data Services outside of IIS, you will have to deal with a lot of features that come out of the box with IIS-hosted services. Unfortunately there is very little information about the topic on the internet, but I have compiled a list of articles that can give you some directions:
- Securing WCF Data Services
- Hosting WCF Data Services - Section "Defining a Custom Data Service Host"
- Authentication Server Side Hooks
- Authentication Client Side Hooks
- Authentication- Custom Basic Authentication
- WCF Data Services blog posts tagged with Authentication tag
- Mike Taulty's blog post about Authentication and ADO.NET Services
Speaking of data validation you should consider using ChangeInterceptors for each endpoint that needs validation. You can find more information at:
- Julie Lerman - Handling Entity Framework Validations in WCF Data Services
- Beth Massi - ADO.NET Data Services - Intercepting Queries and Adding Validation
Regards,
Telerik